CC shared secret

James Firth ukcrypto at chiark.greenend.org.uk
Wed, 6 Aug 2008 11:18:22 +0100


Roland Perry wrote:
> I just got an email (which seems to be genuine) from one of my credit
> card companies saying they have enrolled me (unsolicited) in "Verified by
> Visa", and my password will be the answer to one of the "shared secrets"
> used during login to my online account with them.
> 
> I wonder if that means they have a copy of that "shared secret answer"
> in the clear, in order to pass it to Visa - or are both organisations
> using the same one-way hash? Or is it something different, like the
> V-b-V dialogue when I make a purchase actually being "franchised" by my
> bank, with Visa not having the data at all?

As far as I am aware, the authentication is actually done by your bank, the
transaction being proxied by the Verified by Visa architecture.

The architecture and mechanism are called 3D, and the issuing bank must
support a 3D Secure interface.

A Google search for 3D and Verified by Visa may yield more details.

James Firth